
Threat Modeling in Agile

Training Objective

Threat Modeling is considered an essential activity in the modern Software Development Life-cycle. It helps in identifying threats and possible vulnerabilities early, to a point where, if done correctly, the vulnerability never surfaces in a given environment or application. However, most organizations do Threat Modeling ineffectively. It has been reduced to an infrequent and ineffective process. Most organizations do Threat Modeling for large systems, resulting in a “boil the ocean” effect, leading to ineffective Threat Analysis. Worse, this has no meaning or bearing on the engineering and product teams that actually deliver these applications to customers.

What will attendees learn?

This training focuses on delivering effective Threat Modeling in the Agile SDLC. The training takes battle-tested threat modeling principles and methodologies and trains students on how they can implement an effective, yet efficient Threat Model in a time- and resource-constrained Agile (and DevOps) driven SDLC.

Course Agenda

  • What is Threat Modeling? Why is it important?
  • STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
  • Attack Tree
  • OCTAVE and NIST
  • PASTA Threat Modeling Methodology
  • A Realistic picture of Agile Security Implementations:
  • Pitfalls and Challenges
  • Opportunities for Security in Agile
  • Security in DevOps => DevSecOps Implementation as an extension to Agile Security
  • Need for Security in Agile Development Teams
  • How Threat Modeling is the glue of Agile Security
  • Use of Threat Modeling Outputs for the entire SDLC
  • Scoping your Threat Model
  • Threat Modeling Inputs:
  • Requirements for successful threat modeling
  • Facilitated Threat Model – Requirements and Design stage
  • Use of Elevation of Privilege Card Game for Threat Modeling at Requirements Gathering stage
  • Diagramming for Threat Models – Approaches with Data and Process Flow
  • Threat Model Branches:
  • Attack and Mitigation Models
  • Attacker Lists and Threat Trees
  • Helpful Tools and Tips
  • Threat Modeling Alternatives and Complements:
  • Table-top Exercises
  • Movie Plotting

 

  • Agile Threat Modeling = Requirements and Design Stage
  • Approach to Iterative, Feature-Driven Threat Modeling
  • Story-Driven Threat Modeling
  • Story => Abuser Stories
  • Write Abuser Stories for User Stories
  • Story => Threat Scenarios
  • Write Threat Scenarios for Abuser Stories and User Stories
  • Story => Test Cases
  • Write Acceptance Tests/Refutation Criteria
  • Agile Threat Modeling => Apply to Rest of SDLC
  • Using Threat Modeling => Development Process and Checks
  • Incorporate Threat Modeling Outputs to Static Checks
  • Incorporate Threat Modeling Outputs to Penetration Testing and Red-Teaming:
  • Incorporate Threat Modeling Outputs in Incident Response

- Deep-Dive Understanding of Injection Flaws like SQL Injection, Command Injection, Server-Side Template Injection and others

- Perform SQL Injection Attacks like a real-world adversary with the Cloud Labs and learn how it works


Conference Features

Our Application Security and Cloud Security programs are a regular feature at marquee application security conferences across the world.

Frequently Asked Questions

What would I be able to achieve through this training?

This training will help attendees develop a deep understanding of threat modeling practices and concepts. Additionally, the training demonstrates threat modeling per feature, which would help attendees achieve iterative threat modeling in an agile SDLC.

How would this program benefit Security and Product Engineers?

Threat modeling brings development and security teams closer. Security professionals better understand the architecture and workflow of the product while developers learn more about security threats specific to their product. Threat modeling therefore helps these teams to better appreciate what the other does, enabling better acknowledgement of security controls and remediation strategies.

Dates Coming Soon !

Agile Threat Modeling

2 Days
(5 Hours per day)

$450


    Additional Resources

    Threat Model, like Sherlock!

    While Sherlock is a fictional character, we can draw certain parallels to application security from his approach to deductive investigation. Sherlock uses something akin to a Threat Modeling approach to account for all factors prior to making deductions.

    we45 Webinar

    Threat Modeling usually produces no actionable outputs, and the activity is thereby relegated to the status of a “Policy/Best Practice Document”. We believe that threat models are playbooks of product security engineering and thus, we feel that the best way to conduct it is by integrating it into the Software Development Lifecycle (SDLC).

    Open Source Project: Threat Playbook

    It is our belief that Threat Models should produce actionable outputs, which is why we have developed “ThreatPlaybook”, an open source “Threat Modeling as Code” framework that allows product teams to capture user stories, abuser stories, threat models and security test cases in YAML files.